Risk assessment Process

Risk Assessment Preparation	A) Determine the objectives of the risk assessment;	Identify existing information systems and management deficiencies, as well as possible risk exposures, in accordance with the requirements for security, legal and regulatory requirements for the sustainable development of the Organization's business.
	b) Determine the scope of the risk assessment;	The scope of the risk assessment may be the organization of all information and the various types of assets, regulatory agencies, and possibly a single
		Business processes, systems or departments related to customer IP.
	c) The establishment of appropriate assessment management and implementation team;	Risk assessment Implementation Team, comprising management, related business backbone, it technology and other personnel to form a risk assessment team. If necessary, you can set
		The risk Assessment leadership group, which is attended by the assessor, the leader of the evaluation party and the relevant department heads, hires the relevant professional technical experts and
		Technical backbone composed of expert groups.
		The evaluation and implementation Team shall prepare the pre-assessment forms, documentation, testing tools and other preparation, conduct risk assessment and technical training, and
		Confidential education, to develop risk assessment process management related provisions. The Parties may, upon request of the assessed party, sign a confidential contract
		Confidentiality agreements.
	d) Conduct systematic research;	A) Operational strategy and management system;
		b) The main business functions and requirements;
		c) Network structure and network environment, including internal connection and external connection;
		d) system boundaries;
		e) The main hardware, software;
		f) data and information;
		g) sensitivity to systems and data;
		h) Personnel who support and use the system;
		i) other.
	e) Determine the basis and method of assessment;	A) Existing international standards, national standards, industry standards;
		b) The requirements and systems of the business systems of the competent authorities of the industry;
		c) system security level requirements;
		d) Security requirements for interconnected units of the system;
		e) Real-time or performance requirements of the system itself.
	f) Develop risk assessment programmes;	A) Team organization: Including assessment of team members, organizational structure, roles, responsibilities and other content;
		b) Work plan: The work plan at all stages of the risk assessment, including the contents of the work, the form of work and the results of the work;
		c) Time schedule: Time schedule for project implementation.
	g) Get top management support for risk assessment work.
Asset identification	Asset classification	Types of data, software, hardware, services, people, other (corporate image, customer relationship, etc.)
	Asset Assignment Value	Confidentiality Assignment Integrity Assignment availability Assignment asset importance level
Threat identification	Threat classification	Hardware and software failure physical environment Impact No act or operation error management not in place malicious code ultra vires or misuse network attack physical attack leak tampering repudiation
	Threat Assignment	A) Statistics of threats and their frequency in previous security incident reports;
		b) Statistics of threats and their frequencies detected in the actual environment through detection tools and various logs;
		c) Threats and frequency statistics issued by international organizations for the entire society or industry in the past one or two years, and the threat
		Police.
Identification of vulnerability	Vulnerability Identification Content	Technical fragility: Physical environment network Structure system software application Middleware Application system
		Management vulnerability: Management of technical management organizations
		Questionnaires, tool testing, manual verification, document inspection, penetration testing
	Vulnerability Assignment	The degree of exposure of the asset, the degree of difficulty in the implementation of the technology, and the degree of popularity
Existing security measures confirmed		Security measures can be divided into preventive security measures and protective measures of security. Preventive security measures can reduce the threat of use of vulnerability
		Security incidents, such as intrusion detection systems, and protective security measures to reduce the risk of
		The impact of the system.
Risk analysis	Principles of risk calculation	Risk value =r (a,t,v) = R (L (t,v), F (Ia,va)) matrix method and phase multiplication
	Risk result Determination	Risk can be divided into five levels, the higher the level, the higher the risk
	Risk management Plan	Security measures, expected effects, conditions of implementation, schedule, responsible departments, etc. that should be explicitly taken in the risk management plan
	Residual risk assessment
Risk Assessment Document Records	Evaluation process documentation and evaluation results documents resulting from the entire risk assessment process	A) Risk assessment programme: To describe the objectives, scope, personnel, assessment methods, the form of evaluation results and the progress of implementation of the risk assessment;
		b) Risk assessment procedures: Identify the purpose, responsibilities, processes, relevant documentation requirements of the assessment, and the various assets, threats, vulnerability identification and judgment bases required for the implementation of this assessment;
		c) Asset Identification checklist: Asset identification According to the asset classification method identified by the organization in the risk Assessment procedure document, forming an asset identification list, identifying the responsible person/department of the asset;
		d) A list of important assets: an inventory of important assets, including key asset names, descriptions, types, importance levels, responsible persons/departments, based on the results of asset identification and assignment;
		e) Threat list: A list of threats, including threat names, types, sources, motivations, and frequency of occurrence, based on the results of threat identification and assignment;
		(f) List of vulnerabilities: A list of vulnerabilities, including the name, description, type and severity of specific vulnerabilities, based on the results of vulnerability identification and assignment;
		g) Confirmation form of safety measures: the formation of the existing Safety check form, including the name, type, function description and effect of the security measures, according to the results of the safety measures taken;
		h) Risk Assessment Report: A summary of the overall risk assessment process and results, detailing the subjects assessed, risk assessment methodologies, assets, threats, vulnerability identification results, risk analysis, risk statistics and conclusions;
		i) Risk management plan: Develop a risk management plan for unacceptable risks in the evaluation results, select appropriate control objectives and security measures, identify responsibilities, schedules, resources, and identify the sex of the selected safety measures by evaluating the residual risk;
		j) Risk Assessment records: According to the risk assessment procedure, various field records in the risk assessment process are required to reproduce the assessment process and serve as a basis for resolving problems after ambiguity.

Risk assessment Process